On Thu, 4 Dec 2003, Etienne Goyer wrote:

> Because our 60K+ user base uses a hodgepodge of IMAP clients over which
> we have no control. I am not quite sure our webmail (IMP) could be made to
> authenticate via Kerberos either.

Our webmail (squirrelmail) is doing Kerberos authentication. We gutted the authentication part of squirrelmail and instead launch a persistent imtest process, which squirrelmail connects to instead (this was relatively easy to do, actually -- most of the changes that were required were in imtest). This also has the benefit of caching authentications (like a proxy), since successive page hits just re-use the same imtest process.

The trick is that you need to get the user's Kerberos ticket to the web server, which we accomplish via a system known as pubcookie, which has been developed by a few universities. It's sort of like Kerberos-via-cookies, though the Kerberos ticket passing bit is somewhat disconnected from the main system.

-Rob

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Rob Siemborski * Andrew Systems Group * Cyert Hall 207 * 412-268-7456
Research Systems Programmer * /usr/contributed Gatekeeper